Roman Schlegel (City University of Hong Kong)
Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang (Indiana University Bloomington)
NDSS Symposium 2011
Presenter: 張逸文
Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones

Outline
- Introduction
- Overview
- Context-Aware Information Collection
- Stealthy Data Transmission
- Defense Architecture
- Evaluation
- Discussion
- Conclusion

Introduction (1/2)
- Full-fledged computing platforms
- The plague of data-stealing malware
  - Sensory malware, ex: video camera, microphone
- Security protections
  - Java virtual machines on Android
  - Anti-virus
  - Control installing un-trusted software
- Two new observations
  - Context of phone conversation is predictable and can be fingerprinted
  - Built-in covert channel

Introduction (2/2)
- Main goal: extract a small amount of high-value private data from phone conversations and transmit it to a malicious party
- Major contributions:
  - Targeted, context-aware information discovery from sound recordings
  - Stealthy data transmission
  - Implementation and evaluation
  - Defensive architecture

Context-Aware Information Collection (1/7)
- Monitor the phone state
- Identify, record, analyze, extract
1. Audio recording
2. Audio processing
3. Targeted data extraction using profiles

Context-Aware Information Collection (2/7)
1. Audio recording
- When to record
  - Whenever the user initiates a phone call
- Recording in the background
- Determining the number called
  - Intercept outgoing phone calls / read contact data
  - The first segment: compare with keywords in database
  - Relevant, non-overlapping keywords
  - Minimize necessary permissions

Context-Aware Information Collection (3/7)
2. Audio processing
- Decode file
- Speech/tone recognition
- Speech/tone extraction

Context-Aware Information Collection (4/7)
a) Tone recognition
- DTMF (dual-tone multi-frequency)
  - Signaling channel to inform mobile phone network of the pressed key
  - Aural feedback leaks to side-channel
  - Goertzel's algorithm

Context-Aware Information Collection (5/7)
b) Speech recognition
- Google service: speech recognition functionality
- PocketSphinx
- Segmentation --- contain speech
[Figure: segmentation of a recording into sound and silence]

Context-Aware Information Collection (6/7)
3. Targeted data extraction using profiles
- Focus on IVRs (Interactive Voice Response systems)
- Phone menus based on predetermined profiles

Context-Aware Information Collection (7/7)
- General profiles
  - Speech signatures
  - Sequence detection
  - Speech characteristics

Stealthy Data Transmission
- Processing centrally isn't ideal
- No local processing on 1 minute recording → 94KB
- Credit card number → 16 bytes
- Legitimate, existing application with network access
- A paired Trojan application with network access and communication through covert channel

Leveraging third-party applications
- Permission mechanism only restricts individual application
- Ex: using browser to open URL http://target?number=N
- Drawback: more noticeable due to "foreground"
- Ads to cover

Covert channels with paired Trojans (1/4)
- Paired Trojans: Soundminer, Deliverer
- Installation of paired Trojan applications
  - Pop-up ad
  - Packaged app
- Covert channels on the smartphone
  - Vibration settings
  - Volume settings
  - Screen
  - File locks

Covert channels with paired Trojans (2/4)
Vibration settings
- Any application can change the vibration settings
- Communication channel: every time the setting is changed, the system sends a notification to interested applications
- Saving and restoring original settings at opportune times
- No permissions needed
- Does not leave any traces

Covert channels with paired Trojans (3/4)
Volume settings
- Not automatically broadcasted
- Set and check the volume alternately
- 3 bits per iteration
- Sending at times
- Reading at times
- Miss a window
Screen
- Invisible visible channel
- Covert channel: screen settings
- Prevent the screen from actually turning on
- Permission WAKE_LOCK
11000
,......,0,ti
msktkt is
2iis ttkt

Covert channels with paired Trojans (4/4)
File locks
- Exchange information through competing for a file lock
- Signaling files S1, ..., Sm
- One data file
- S1~Sm/2 for Soundminer, Sm/2+1~Sm for Deliverer
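
Detection-side view of the vibration and volume channels above, as an added example that is not from the slides or the paper: both channels need one application to rewrite a system setting far faster than a person would, so a per-writer rate check over setting-change records exposes them. The audit record format, the UIDs and the thresholds are assumptions; producing such records requires a hook in the settings service.

```python
from collections import defaultdict, deque

# Constructed audit records: (seconds, writer uid, setting name).
EVENTS = [
    (0.0, 10021, "vibrate"), (0.4, 10021, "vibrate"), (0.9, 10021, "vibrate"),
    (1.3, 10021, "vibrate"), (1.8, 10021, "vibrate"), (2.2, 10021, "vibrate"),
    (5.0, 10007, "volume"), (65.0, 10007, "volume"),   # user-paced changes
    (70.0, 10033, "volume"), (71.0, 10033, "volume"), (72.0, 10033, "volume"),
    (73.0, 10033, "volume"), (74.0, 10033, "volume"),
]


def flag_setting_churn(events, window=10.0, max_changes=4):
    """Return {(uid, setting): peak_count} for every writer that changes one
    setting more than max_changes times inside a sliding time window."""
    recent = defaultdict(deque)   # (uid, setting) -> timestamps still in window
    flagged = {}
    for ts, uid, setting in sorted(events):
        key = (uid, setting)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_changes:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (uid, setting), count in flag_setting_churn(EVENTS).items():
        print(f"uid {uid}: {count} '{setting}' changes inside one window")
```
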

Defense Architecture
- Add a context-sensitive reference monitor to control the AudioFlinger service
- Block all applications from accessing the audio data when a sensitive call is in progress
- Reference Service
  - RIL (radio interface layer)
  - Enter/leave a sensitive state
- Controller
  - Embedded in the AudioFlinger service
  - Exclusive Mode / Non-Exclusive Mode
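
A toy model of the reference monitor described on this slide, as an added example that is not the authors' implementation: a reference service at the radio interface layer switches a controller inside the audio service between exclusive and non-exclusive mode. The class names, the sensitive-number list, the UIDs and the choice to hand silence to non-phone readers are assumptions.

```python
SENSITIVE_NUMBERS = {"18005550100"}   # constructed sample hotline
PHONE_UID = 1001                      # assumed UID of the telephony app


class Controller:
    """Lives inside the audio service and gates every read of microphone data."""

    def __init__(self):
        self.exclusive = False

    def read(self, uid, frames):
        # Exclusive mode: only the phone app gets real samples. Every other
        # reader, including one opened before the call began, gets silence.
        if self.exclusive and uid != PHONE_UID:
            return bytes(len(frames))
        return frames


class ReferenceService:
    """Sits at the radio interface layer and tracks the call state."""

    def __init__(self, controller):
        self.controller = controller

    @staticmethod
    def _normalize(number):
        # Compare digits only, so formatting cannot bypass the list.
        return "".join(ch for ch in number if ch.isdigit())

    def on_call_start(self, number):
        # Enter the sensitive state only for numbers on the list.
        self.controller.exclusive = self._normalize(number) in SENSITIVE_NUMBERS

    def on_call_end(self):
        # Always leave the sensitive state when the call is over.
        self.controller.exclusive = False


def demo():
    ctl = Controller()
    ref = ReferenceService(ctl)
    mic = b"\x10\x20\x30\x40"         # constructed PCM bytes
    out = [ctl.read(4242, mic)]       # background app, no call in progress
    ref.on_call_start("1-800-555-0100")
    out += [ctl.read(4242, mic), ctl.read(PHONE_UID, mic)]
    ref.on_call_end()
    out.append(ctl.read(4242, mic))
    return out


if __name__ == "__main__":
    print(demo())
```
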

Evaluation (1/2)
- Experiment settings
  - Environment
  - Service hotline detection
  - Tone recognition
  - Speech recognition --- getrusage()
  - Profile-based data discovery --- extracted high-value information
  - Covert channel study --- bandwidth in bits per second
  - Reference monitor

Evaluation (2/2)
- Experiment results
  - Effectiveness
    - Service hotline detection
    - Tone/speech recognition
    - Detection by anti-virus applications
  - Performance

Conclusion
- Soundminer, innocuous permissions
- Defense on sensor data stealing
- Highlighted the threat of stealthy sensory malware